LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-19-2002, 11:09 PM   #1
IRQ14
LQ Newbie
Registered: Dec 2001
Posts: 9
Firewall HELP


Hey... I need some help setting up a firewall which will allow only specific IPs to access my FTP.
The FTP server is running on a Windows 2000 machine. I'm forwarding a port from the Linux box to the Windows 2000 machine for the FTP service. Here's the code for the FTP forwarding:
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

I've tried using hosts.allow and hosts.deny for this but it didn't work... unless I did it wrong.

Also the goal is to make it seem that the FTP doesn't exist when unauthorized users try to connect... i.e.:
Connecting to 24.xxx.xxx.xxx
Connection Failed

Please help
Thanks.
 
Old 01-20-2002, 12:36 PM   #2
theFuzzyOne
Member
Registered: Dec 2001
Distribution: redhat
Posts: 154
Have you tried FTPing with your firewall open (allow everything) to see if your port forwarding is working? You may need to add additional rules to make that happen. Can you FTP from the Linux box to the W2K server?
 
Old 01-20-2002, 02:29 PM   #3
IRQ14
LQ Newbie
Registered: Dec 2001
Posts: 9
Original Poster
FTP is working with no problems at all... the only thing is I need to allow only a few users to access the site.
Right now the FTP is allowing whoever has the password and username to access the site.

I tried doing:

iptables -t nat -A PREROUTING -i eth0 -p TCP -s 24.101.208.98 --dport 654 -j ACCEPT
and
iptables -t nat -A PREROUTING -j DROP
and then
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

meaning that anyone coming in from the 24.101.208.98 IP will be accepted... for anyone else the connection will drop.
But that didn't work:
it dropped all incoming connections to the FTP and didn't allow the user with the 24.101.208.98 IP to access.

Last edited by IRQ14; 01-20-2002 at 02:31 PM.
 
Old 01-20-2002, 02:32 PM   #4
theFuzzyOne
Member
Registered: Dec 2001
Distribution: redhat
Posts: 154
port number? --dport 21 perhaps?
 
Old 01-20-2002, 02:35 PM   #5
IRQ14
LQ Newbie
Registered: Dec 2001
Posts: 9
Original Poster
Why would it be 21?
The outside port which people use to connect to the FTP would be 654... whatever is coming in on 654 will be redirected to port 21... so what I need to do is stop unauthorized IPs from getting in on port 654.
 
Old 01-20-2002, 02:36 PM   #6
IRQ14
LQ Newbie
Registered: Dec 2001
Posts: 9
Original Poster
But then again what you're saying does make sense:
whatever's coming in on 654 is destined for port 21, and those packets should be dropped.
 
Old 01-21-2002, 05:41 AM   #7
raz
Member
Registered: Apr 2001
Location: London
Posts: 408
Block it at the input rule.
The packets go prerouting then input.

So you would have the rules.
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

iptables -A INPUT -i eth0 -p tcp -s 24.101.208.98 --sport 1024:65535 -d your_firewalls_ip_address --dport 654 -j ACCEPT

iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT

+ you need to do the rest of the firewall rules to get other services working.

/Raz
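The rule order tried in post #3 and the placement question raised in post #7 both come down to how netfilter walks its chains for a DNAT'd connection: in the nat table, ACCEPT only ends the chain, so the allowed client's packet is never rewritten and ends up aimed at the firewall itself; a packet that is DNAT'd to another host goes through the filter FORWARD chain, not INPUT, and a DROP policy there silently discards it, which is exactly the "Connection Failed" behaviour post #1 asks for. The following added example (not code from any poster in this thread) is a deliberately small model of that traversal: nat PREROUTING for the first packet, the routing decision, then INPUT or FORWARD with their policies. The firewall's public address, the "stranger" client address, and the two rule-set layouts are constructed for the example; the 192.168.0.2 server, port 654 and the 24.101.208.98 client come from the thread. Connection tracking and reply traffic are left out, so a real FORWARD chain with a DROP policy also needs a rule accepting ESTABLISHED,RELATED traffic.

```python
"""Toy model of how netfilter handles a DNAT port-forward.

Constructed teaching example, not code from the thread. It models only the
pieces that matter for restricting a forwarded service by source address:
the nat PREROUTING chain (consulted for the first packet of a connection),
the routing decision, and the filter INPUT and FORWARD chains with their
default policies. Connection tracking and reply traffic are left out.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional

FIREWALL_IP = "203.0.113.1"       # placeholder for the Linux box's public address
FTP_SERVER = "192.168.0.2"        # internal Windows 2000 box from the thread
ALLOWED = "24.101.208.98"         # the one client the thread wants to let in
STRANGER = "198.51.100.7"         # placeholder for any other client
FWD_PORT, FTP_PORT = 654, 21


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "eth0"


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP or DNAT
    src: Optional[str] = None         # -s
    dst: Optional[str] = None         # -d
    dport: Optional[int] = None       # --dport
    iface: Optional[str] = None       # -i
    to: Optional[str] = None          # --to-destination "ip:port" (DNAT only)

    def matches(self, p: Packet) -> bool:
        """A rule matches when every criterion it specifies equals the packet's field."""
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst),
            (self.dport, p.dport), (self.iface, p.iface)))


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def first_match(self, p: Packet) -> Rule:
        """First matching rule wins; otherwise the chain policy applies."""
        return next((r for r in self.rules if r.matches(p)), Rule(self.policy))


def traverse(p: Packet, prerouting: Chain, inp: Chain, forward: Chain) -> str:
    """Return the verdict and the chain that produced it."""
    r = prerouting.first_match(p)
    if r.target == "DNAT":            # rewrite the destination, then route
        ip, port = r.to.split(":")
        p = replace(p, dst=ip, dport=int(port))
    elif r.target == "DROP":
        return "DROP in nat PREROUTING"
    # ACCEPT in the nat table only ends the chain: no DNAT happens.
    if p.dst == FIREWALL_IP:          # routing decision: local delivery goes to INPUT
        return f"{inp.first_match(p).target} in INPUT for {p.dst}:{p.dport}"
    return f"{forward.first_match(p).target} in FORWARD for {p.dst}:{p.dport}"


def ops_attempt():
    """Rule order from post #3: ACCEPT, then DROP, then DNAT, all in nat PREROUTING."""
    pre = Chain(rules=[
        Rule("ACCEPT", src=ALLOWED, dport=FWD_PORT, iface="eth0"),
        Rule("DROP"),
        Rule("DNAT", dport=FWD_PORT, iface="eth0", to=f"{FTP_SERVER}:{FTP_PORT}"),
    ])
    return pre, Chain("ACCEPT"), Chain("ACCEPT")


def restricted_forward():
    """Constructed layout: DNAT only for the allowed source, DROP policies elsewhere."""
    pre = Chain(rules=[
        Rule("DNAT", src=ALLOWED, dport=FWD_PORT, iface="eth0",
             to=f"{FTP_SERVER}:{FTP_PORT}"),
    ])
    fwd = Chain("DROP", rules=[
        Rule("ACCEPT", src=ALLOWED, dst=FTP_SERVER, dport=FTP_PORT, iface="eth0"),
    ])
    return pre, Chain("DROP"), fwd


def verdicts(ruleset) -> dict:
    """Walk one SYN to the firewall's port 654 from each client through a rule set."""
    pre, inp, fwd = ruleset()
    return {who: traverse(Packet(who, FIREWALL_IP, FWD_PORT), pre, inp, fwd)
            for who in (ALLOWED, STRANGER)}


if __name__ == "__main__":
    for name in ("ops_attempt", "restricted_forward"):
        print(name, verdicts(globals()[name]))
```

Running it shows why the post #3 order fails: the allowed client is ACCEPTed out of nat PREROUTING before the DNAT rule, so its packet is delivered locally to the firewall's own port 654, where nothing listens, while everyone else is dropped. With the source restriction on the DNAT rule itself and DROP as the INPUT and FORWARD policy, the allowed client is forwarded to 192.168.0.2:21 and unknown clients are dropped silently, so their connection attempt simply times out.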
 